diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4dc51e8
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+vault/
diff --git a/tasks/main.yml b/tasks/main.yml
index c10daf8..ce7b5f4 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,3 +1,8 @@
+- name: Include sensitive info
+ include_vars:
+ dir: '/vault/main.yml'
+ tags:
+ - vault
 - name: PostgreSQL listen on private subnet
 replace:
 path: /etc/postgresql/12/main/postgresql.conf
@@ -10,10 +15,10 @@
 become: yes
 become_user: postgres
 postgresql_user:
- port: '{{ services.postgres.port }}'
+ port: '{{ postgres.port }}'
 db: postgres
- name: "{{ postgres.user }}"
- password: "{{ postgres.password }}"
+ name: "{{ vault_postgres.user }}"
+ password: "{{ vault_postgres.password }}"
 tags:
 - postgres
 - vault
@@ -21,12 +26,12 @@
 become: yes
 become_user: postgres
 postgresql_user:
- port: '{{ services.postgres.port }}'
+ port: '{{ postgres.port }}'
 db: postgres
 name: '{{ item }}'
 role_attr_flags: "LOGIN,NOSUPERUSER,NOCREATEROLE,NOCREATEDB,NOREPLICATION,NOINHERIT"
- password: "{{ postgres.dbpass[item] }}"
- loop: "{{ services.postgres.databases }}"
+ password: "{{ vault_postgres.dbpass[item] }}"
+ loop: "{{ postgres.databases }}"
 tags:
 - postgres
 - vault
@@ -36,7 +41,7 @@
 postgresql_db:
 name: '{{ item }}'
 owner: '{{ item }}'
- loop: "{{ services.postgres.databases }}"
+ loop: "{{ postgres.databases }}"
 tags:
 - postgres
 - vault
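Review bot: The new include_vars task is tagged only `vault`, while every task that consumes `vault_postgres` (the two postgresql_user tasks and the postgresql_db task in the following hunks) is also tagged `postgres`, so a run limited with `--tags postgres` skips the include and fails on an undefined `vault_postgres`; tag the include with the special `always` tag (or add `postgres`) so the variables load whenever they are needed, e.g. `tags:` / `- always`. Separately, `dir:` names a directory to load, while `'/vault/main.yml'` looks like a single file, and the leading slash makes it an absolute filesystem path rather than the repo-relative `vault/` that the new .gitignore entry excludes — `file: vault/main.yml` is probably what was intended, to be confirmed against where the file actually lives. Because the file is only gitignored, the credentials it holds sit in plaintext on disk; include_vars reads ansible-vault-encrypted files transparently, so encrypting it with ansible-vault would match the `vault_` naming and remove the dependence on the ignore rule.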